US20080022363A1 - Flexible hardware password protection and access control - Google Patents
- Publication number
- US20080022363A1 (application US11/483,252)
- Authority
- US
- United States
- Prior art keywords
- password
- access
- memory
- address
- stored
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
Definitions
- the invention relates to optic modules, and in particular, to a memory access control in an optic module.
- Optic modules are utilized to perform communication over optic channels. These modules are often expensive and relied upon for important data communication. In other situations or in the future, optic modules may be utilized in consumer applications to increase bandwidth. In all environments, module failure is undesirable and as such, optic modules are often configured with monitoring or diagnostic capability. Such monitoring of one or more of the module outputs, inputs or other factors, such as environment, can predict or detect failure.
- the modules may be equipped with one or more monitoring elements and memory or other data storage elements.
- the modules may store system data, environment data, and threshold values.
- a processor and user interface may be provided so that a user may access the data values stored in the memory of the module.
- An external host may connect to the module to allow for user interface with the module, such as to input or extract data from the module.
- multiple optic modules may be configured within a single enclosure or unit to service multiple optic fibers. This reduces space consumption, and allows for use of shared resources, such as power supplies and rack slots.
- each optic module, if configured in accordance with the standard governing optic modules, has the same address and shares a common memory.
- the current standard governing optic modules comprises SFF-8472. Stated another way, for the optic module to be standard compliant, which is often a required characteristic, it must be addressed in the exact manner specified in the standard. When multiple optic modules are located within a single enclosure or module, this limitation may undesirably hinder efficient communication between a host and the modules.
- One additional disadvantage of prior art modules is that the memory locations for an entire module may be accessed through use of a single password. As such, it is not possible to limit or selectively control access to the numerous different memory locations in the module. This is a drawback because it may be desired to restrict access to certain memory locations for certain individuals, while allowing greater access to other individuals or entities. Moreover, it may be desired to grant certain individuals access to certain locations, while granting other individuals access to entirely different locations.
- the present invention overcomes these drawbacks in the prior art and provides additional benefits.
- a method and apparatus for controlling access to data stored in a memory of an optic module is disclosed.
- this method for controlling access to data stored in a first memory in an optic module is first provided. Then, responsive to providing a password entry to a memory controller, the system reads one or more access level passwords from the first memory or a second memory. This exemplary method of operation then compares the password entry to the one or more access level passwords and, responsive to the comparing not locating a match between the password entry and an access level password, the system denies access to the data stored in the first memory. Alternatively, responsive to the comparing locating a match between the password entry and an access level password, the system grants access to the data stored at the memory addresses defined in an address access range associated with the matched access level password.
- the method further comprises storing a second access level password in the first memory, the second memory, or both.
- the address access range defines to which memory locations access is granted.
- the address access range may define consecutive or non-consecutive memory locations.
- This method may further comprise analyzing a write memory field to determine if write capability is granted to the data stored at the memory access range.
- a memory access control system for controlling access to data in memory in an optic module.
- this system comprises a user interface configured to receive an entered password from a user and one or more memory units configured to store optic module data and one or more access level data fields. It is contemplated that at least one of the one or more access level data fields is configured to store at least one access level password and an associated address range.
- a comparator is provided as part of this system and configured to compare the entered password to at least one of the at least one access level passwords.
- a controller responsive to the comparison yielding a match between the entered password and at least one access level password associated with an access level, is configured to grant access to the data stored in the address range associated with the matching access level.
- the comparator comprises a controller or processor.
- the address range may comprise a range of addresses which includes non-consecutive addresses.
- the access level data field may store a write capability field configured to store data that controls write capability for a password.
- at least one of the one or more access level data fields further comprises a first password and an associated first address range and a second password and an associated second address range.
- a multi-level memory access control system for controlling access to data in memory in an optic module.
- the system comprises a user interface configured to receive at least a first entered password and second entered password from one or more users.
- the system also comprises one or more memory units configured to store optic module data.
- the memory also stores one or more access level data fields such that at least one of the access level data fields is configured to store at least a first stored password and a second stored password.
- An address group is associated with the first stored password and an address group may be associated with the second stored password.
- a controller is part of the system and is configured to compare the first entered password to the stored first password.
- Responsive to a match between the first entered password and the first stored password, the controller is further configured to grant access to the address group associated with the first stored password and then accept a second entered password. The controller then compares the second entered password to the second stored password and responsive to a match between the second entered password and the second stored password, grants access to the address group associated with the second stored password.
- the address group associated with the first password may comprise fewer memory addresses than the combination of the address group associated with the first stored password and the address group associated with the second stored password. Furthermore, access to the address range associated with the second stored password may include the address groups associated with the first stored password.
- this system may further comprise a write field as part of the one or more access level data fields, wherein data in the write field controls memory write capability.
- the controller may comprise a processor configured to execute machine readable code. Also part of this system may be a host configured to receive the first entered password from a user and communicate with more than one optic module via a shared bus.
- FIG. 1 illustrates a block diagram of an example environment of use.
- FIG. 2 illustrates an example embodiment of multiple optic modules controlled by a single host device.
- FIG. 3 illustrates a block diagram of a prior art host to optic module communication arrangement.
- FIG. 4 illustrates an example embodiment of host to optic module control system.
- FIG. 5 illustrates an example embodiment of control system utilized to establish the control line as a module select.
- FIG. 6 illustrates an exemplary memory structure for multilevel password protection within an optic module.
- FIG. 1 illustrates a block diagram of an example environment of use for the method and apparatus disclosed herein.
- This example embodiment comprises an optic module 204 as may be configured to communicate over optic fiber 208 A, 208 B.
- the module 204 may be considered for purposes of discussion as a transmitter, shown at the top of the figure within the module 204 , and a receiver, shown at the bottom of the module.
- a control and monitoring system 250 , 252 is shown generally between the transmitter and receiver and may be considered as shared between the transmitter and receiver portion of the module 204 .
- additional processing, gating, buffering, or other elements may be associated with the module 204 .
- the transmitter comprises a laser driver 212 configured to receive one or more incoming signals on one or more data inputs 216 .
- the laser driver 212 converts an incoming voltage level, representing an outgoing data signal, to an electrical current suitable for driving an optic signal generating device, such as laser diode 220 .
- the laser driver 212 may map the incoming data signal into an electrical current having parameters, namely bias current and modulation current to facilitate driving any optic generator, such as diode 220 .
- the optic signal generator 220 may include a photo detector capable of generating an output that represents one or more aspects of the optic signal generator or the optic signal, such as power level or other factor.
- One or more fibers 208 A connect to the module 204 to receive the outgoing signal from the signal generator 220 . Any type fiber 208 or other transmitter apparatus may be utilized.
- one or more fibers 208 B carrying incoming optic signals connect to a photo detector 230 .
- the photo detector 230 converts the incoming optic signals to electrical signals, which are thereafter provided to a transimpedance amplifier 234 (TIA), which is capable of converting the low magnitude current signal from the detector 230 into a voltage value output signal.
- the output of the TIA 234 is forwarded to a limiting amplifier 238 which may serve as the final stage to set the signal level appropriate for additional processing.
- the output of the limiting amplifier 238 is output from the module 204 as an electrical signal at a desired voltage level.
- the output from the photo detector 230 , 220 may connect to or be monitored by a diagnostic module 248 associated with the controller aspects of the module 204 . This is discussed below in more detail.
- Assisting with or monitoring one or more aspects of the module 204 are a controller and monitoring aspects 250 , 252 of the module 204 .
- a host (not shown) may communicate over a two wire interface path 240 with a controller 244 .
- the controller 244 may comprise a processor, control logic, or any other element or device capable of performing as described herein.
- the controller 244 communicates with a diagnostic module 248 , which may be configured into a single integrated circuit or ASIC.
- the diagnostic module 248 , in connection with the controller 244 , may monitor and/or control one or more aspects of the module.
- controller 244 and diagnostic module 248 may also be configured to control or dictate one or more modes or aspects of module operation.
- the module may conform with general application or specification SFF-8472, which comprises a multivendor agreement for providing digital diagnostic and monitoring of the optic module.
- SFF8472 is hereby incorporated by reference.
- the SFF8472 specifies an electrical interface, such as interface 240 , as a two wire serial interface.
- Memory may be associated with the controller 244 and/or diagnostic module 248 to store threshold information and/or current or past data regarding the module, module operation or module environment.
- the locations within the memory may be identified by an address and the module itself may be identified with an address. Access to the memory occurs as described below. Controlled access to the memory is achieved through the process and system described below.
- One or more environment or system monitors 252 may communicate with the module 248 or controller 244 to provide information regarding the module, module environment or device behavior or operation.
- One example of such a monitoring device may be a temperature monitor.
- FIG. 2 illustrates a block diagram of an example embodiment of multiple optic modules controlled by a single host device.
- a single host controller may communicate with multiple modules and via the host controller and the module, selective access to the memory of each module may be achieved.
- a host 304 may comprise any device capable of communicating with one or more optic modules 308 A, 308 B, 308 N.
- the value of N may comprise any whole number.
- the controller 304 comprises a computer.
- the multiple modules 308 may be contained within a single housing 312 or within a single rack storage unit.
- Connecting the host 304 to the modules 308 is a shared interface path or line 316 .
- the interface path comprises a two wire interface path, but in other embodiments other types of interfaces may be utilized.
- the interface 316 is a shared interface, thereby eliminating the need, when combined with a unique addressing scheme, for a separate host for each module.
- a transmit disable line 320 A, 320 B, . . . 320 N from the host 304 to each module 308 A.
- the transmit disable line 320 comprises a direct path or connection into each module (or integrated circuit within the module) that may be utilized to send a signal from the host to the module to disable operation of the module.
- the transmit disable signal may set a flag or bit in a register or in any other manner force the module to disable the signal generator or other element or aspect of operation.
- the host 304 is configured to communicate with each module using a unique address assigned to an optic module 308 .
- the optic modules are each assigned a unique address during manufacture, configuration, and are thus equipped, when installed, with a unique address.
- the module may be configured with a different image stored in a memory, such as EEPROM. Then at start-up, the image is loaded from the memory to modify one or more addresses of data within the module, the module address, or both. While this may or may not be considered standard compliant, it overcomes the drawbacks of the prior art.
- When the host 304 intends to communicate with a particular module 308 , it utilizes the module's address in the communication.
- Although modules 308 may receive the message, only the module with the corresponding address will accept or act on the message.
- the module(s) appear as memory to the host, which may be accessed, written to, or interrogated.
- One type of data which may be stored on the module comprises device identification data. Examples of the type of device identification data that may be found in the module includes, but is not limited to, vendor ID, Part ID, Optic Link information, data rate, and wavelength.
- diagnostic information may also be found in the module, including, but not limited to supply voltage monitor values, temperature monitor values, transmit and receive optic power monitor values, modulation current values, and status flags.
- the address for the serial ID information is at address A0X and the diagnostic information is at A2X.
- the data may also include data that controls operation of the module.
- the optic module may be configured to selectively enable a module or module interface 316 based on another control signal from the host to the module.
- the control signal that may temporarily disable a module's interface path 316 comprises a signal sent via the transmit disable line 320 .
- the module with an active interface may receive a communication from the host that re-writes the module's address to a unique address.
- the process may sequentially occur with the other modules 308 until all of the modules 308 within the enclosure are assigned unique addresses. Thereafter, each module 308 may be accessed or communicated with via the shared interface path 316 by a single host. This operation is discussed below in more detail.
- FIG. 3 illustrates an embodiment that also provides for access from a host to an optic module.
- a host controller 104 A, 104 B, . . . 104 N is associated with each optic module 108 A, 108 B, . . . 108 N, where N may represent any whole number.
- a host 104 communicates with a module 108 via a two wire interface 110 A, 110 B, . . . 110 N.
- the optic modules are enclosed within a single enclosure 120 or housing.
- each module 108 prevents module specific addressing from a shared or common host 104 . Because each module is assigned the same address, attempts to utilize a shared bus result in a shared host reading from or writing to every module, even though the intent was to write to single specific module. Controlled access to the memory, such as through the password method and apparatus described herein may occur in the system as shown in FIG. 2 or FIG. 3 .
- FIG. 4 illustrates a block diagram of an example host with optic module. This is but one example embodiment of an optic module equipped for unique address conversion to establish unique module addressing.
- a host 408 may comprise a user interface 416 which may interface with a user of the host, such as a technician or other machine to control the host, which in turn may control or interrogate or interact with the modules 400 .
- the user interface 416 may comprise any element capable of receiving input and providing information regarding the host, module, or both.
- One example of a user interface is a keyboard, mouse, and display.
- the user interface 416 may interact with a processor 412 .
- the processor 412 may interact with an input/output (I/O) 424 which is configured to communicate with a module 400 .
- the I/O may utilize a shared two wire interface path 430 , which connects to other modules 400 . This may be referenced as a shared path or a shared interface.
- Also connecting the host 408 and the module 400 is a control line 434 , which in this example embodiment comprises a transmit disable line configured to conduct a transmit disable signal to the module 400 . In other embodiments the control line may comprise a different path.
- the two wire interface path 430 and the control line 434 connect to a module I/O interface 440 configured to achieve communication between the module 400 and the host 408 .
- the interface 440 controls and facilitates communication via paths 434 , 430 .
- Also part of the module 400 is a controller or processor 444 , a memory controller 448 , and one or more memory units 452 .
- the interface 440 communicates with the memory controller 448 via an address line and a data line, as shown.
- the address line carries a particular memory address to the controller 448 .
- the data line carries data to the memory 452 , via the controller 448 .
- the interface 440 may also communicate with the processor 444 .
- the processor 444 may comprise any type processor, logic, control circuitry, or ASIC configured to perform as described herein.
- the processor 444 may control one or more aspects of the module 400 as would be understood.
- the processor 444 may be configured with internal memory (not shown) or utilize the memory 452 for storage of data, flag, or other information.
- the memory controller 448 may comprise any type control structure for writing information to or reading information from the memory 452 . Operation of the module may occur as is understood by one of ordinary skill in the art.
- the module is assigned a predetermined address. All standard compliant modules are assigned the same address. As can be appreciated, in the configuration of FIG. 2 , attempting to communicate with a single particular module when all the modules share the same address, is simply not possible. Accordingly, the method and apparatus described herein, and discussed below in relation to FIG. 3 overcomes this drawback.
- the host 408 connects to the module via the two wire interface path 430 and the transmit disable line 434 . Operation of the module may not yet have commenced at this stage, although installation may have occurred. In other embodiments, operation may have commenced.
- the host 408 sends a signal via the transmit disable path 434 to the module 400 to cause the module to enter into a reconfiguration state.
- the module 400 is configured with logic, software, hardware, or a combination of these elements to interpret this incoming control signal to enable the module to have the module's address re-written.
- the housing may contain four modules 400 , each of which has a transmit disable line 434 connected to the host.
- the modules 400 are configured with logic or other means to identify when a control signal is being sent to the modules.
- When a control signal, such as the transmit disable line, goes high, the module 400 enters a write mode allowing the two line interface to re-write the address for the module with a unique address.
- the host 408 may sequentially force only one transmit disable line (control line) high at a time thereby allowing the host to sequentially re-write the addresses for each of the modules with unique addresses.
- the signal on the transmit disable line sets a bit or flag in the module to an alternate state which signifies to the modules that the address for the module is to be re-written.
- the module may be configured such that a high state or setting the transmit disable flag may disable the I/O interface for the module. If only one module that connects to the host is left with an active I/O, such as an active interface 440 , then as a result, the host may re-write the address of this module without re-writing the addresses of the other modules also connected to the host. This process of selectively de-activating all of the I/O interfaces 440 , except one, and re-writing the address with a unique address may be repeated until each of the modules has a unique address.
- the module is not yet active, during the module address re-write process, and hence, operation is not disrupted. In other modes of operation, the module may be active, i.e. transmitting and/or receiving optic signals during the address change operation.
- an initial write operation is performed to a default address using the two line interface path.
- This write operation to each module which may occur over the shared two line interface path, forces each module to interpret the transmit disable signal as a chip select instead of a signal to disable operation of the module.
- This write operation may comprise setting a flag or a registering bit.
- the transmit disable line becomes the module select thereby allowing the state (high/low) of transmit disable line, or a signal on the transmit disable line, to control if a module may receive communication from the host.
- the address of each module may be changed to a unique address.
- a signal is sent from the host to each module restoring the transmit disable path to its original function, namely, disabling operation of the module. This may occur by the module being sent a signal that reverses the effect of the original signal that changed the configuration of the transmit disable line, and/or by re-writing a memory location or register to return the transmit disable line to its function as a transmit disable line, instead of a module select line.
- a configuration bit is set to control the function of the transmit disable line.
- the function of the transmit disable line is controlled by a control line status bit, which may be controlled by the host via the two line interface.
- the module may be configured with a status bit register or a location in memory, that may be modified by the host to control the function of the control line, such as a transmit disable line.
- the memory controller 448 , the I/O interface, or any other element performs an address indirection or modification from the address specified via the two line interface path 430 .
- the address specified by the host via the two line interface may be processed to generate a different address.
- a look-up table is utilized to select or convert memory addresses.
- a FIFO memory allocation unit with address tracking is utilized to assign memory locations different than those specified by the host.
- an address translation table is utilized.
- the interface 440 may be configured to provide a device address and a data address.
- the device address may define a particular IC, a device within the module.
- the data address may define a memory location.
- the memory, memory controller 448 , and processor 444 may accept a password from a user and compare the password to one or more access level passwords that are stored in the memory 452 or other memory. If a match is found, then access is granted to the memory range or addresses associated with that access level. Access may occur over a shared bus as shown in FIG. 2 or FIG. 3 .
- FIG. 5 illustrates an example embodiment of control system utilized to establish the control line as a module select.
- the two line interface path 504 may connect to logic 508 , which may optionally be equipped with memory.
- the signal on the two line interface path 504 may set a memory location or other logic element in the logic 508 to thereby generate an output to the logic element 520 .
- element 520 comprises an AND gate and the input to the AND gate may be inverted to facilitate proper operation.
- the tx disable line 524 also connects to the logic 508 which, when combined with the signal on path 540 , forces the logic 508 to output a signal to element 520 .
- the tx disable line 524 may not connect to the logic 508 and, as a result, only the signals on path 504 cause the logic to establish the output from the logic to the logic element 520 .
- the element 520 , upon receiving only the transmit disable signal, treats the transmit disable input as a signal instructing the module to shut down or be disabled. In contrast, when the signal on the transmit disable path 524 and the signal from the logic 508 are both high, then the signal on the transmit disable path operates as a module select. It is contemplated that the logic 508 and logic element 520 may comprise any type logic, processor, ASIC, controller or any combination thereof that is capable of functioning as described herein. The elements 508 and 520 may comprise hardware, software, or a combination of both.
- the combination of a particular two line interface signal via path 504 in combination with the transmit disable signal on path 524 causes the logic 508 to generate a module select signal thereby either disabling the module or enabling the module or the module's two line communication path or interface.
- By generating a module select signal with the logic 508 , a single module, from multiple modules connected to a host, may be activated at a particular time, thereby allowing the host to selectively change the address of a particular active module.
- a particular signal may be sent to the logic 508 via path 504 to set the logic or a status bit.
- This signal changes operation of the control line, such as the tx disable line. This may occur, for all the modules, at the same time, to thereby disable the tx disable line of all modules from functioning as a module disable line. Instead a signal sent via the transmit disable path functions as a module select line. Accordingly, all of the modules may then be disabled, except for one, which may be enabled.
- the host may then change the address of the enabled module via path 504 by re-writing the address location with the new address. This may occur for each module to establish a unique address for each module.
- the two line interface path 504 may send a signal to the logic which restores operation of the tx disable path as a path for signals to disable the module, instead of serving as a module select line to facilitate module address changes.
- a command from the host to all of the modules is sent via the two line path.
- all the modules receive the command because all modules have the same address.
- the command instructs all modules to set a status bit or register value to enter a state wherein a signal on the transmit disable path may disable or enable the two wire communication interface of the module.
- Using the transmit disable path in this manner allows the host to select a particular module while disabling all others, to change the address of that particular module. This process may be repeated. After all modules have had their address changed, all the modules' interfaces may be enabled and a command may be sent from host to the modules to restore operation of the transmit disable path to default mode.
- FIG. 6 illustrates an exemplary memory structure for multilevel password protection within an optic module. This is but one possible embodiment of a multilevel password protection scheme for an optic module.
- A user input 604 is provided to an interface 608.
- The interface 608 is configured to provide access or allow for attempted access by a user or other device to the memory 620. It is contemplated that a user may physically enter a password, such as with a keyboard, or another electronic device may electronically enter the password.
- Interfaces 608, such as a user interface, are generally understood in the art and hence not described in detail.
- The interface 608 connects to a memory controller 612, which in turn connects to the memory 620.
- The memory controller 612 may also connect to one or more additional memories 622.
- The memory controller 612, which may also be referred to as a memory interface, controls access to the memory and performs read/write control.
- The memory controller 612 includes compare logic capable of comparing a password input by a user or other device via the interface 608 with one or more passwords stored in a memory, such as the memory 612.
- The memory controller 612 may also be configured with one or more registers or storage locations, such as the memory 620 or memory 622.
- The memory 620 may comprise any type of memory. Within the memory 620 are numerous memory locations which may be accessed via the interface 608. To provide controlled or password based access to the memory 620, one or more password level control blocks 630A-630N are provided in memory to store memory access control data. Any number of access levels A through N may be provided where N is any whole number.
- Access level 630A, which is stored in memory 620, contains various data fields 634, 638, 642, 646 which define access for a user having top level access.
- The term top level access is defined to mean access to all or mostly all memory locations 620.
- Other levels of access, which may be defined in any manner, are discussed below.
- The password field 634 is configured to store a password which, if input correctly to the memory controller, will grant access to the address range shown in the address access range field 646.
- For access level block 630A, which is the top level access, the user would have access to all memory locations because the values or data located in field 646 indicate access to all accessible memory locations.
- Read access field 638 stores data, such as a bit or flag, that controls whether the user having the matching password of field 634 has capability to read from the memory locations set forth in the address access range field 646.
- Write access field 642 stores data, such as a bit or flag, that controls whether a user having or using the matching password of field 634 has capability to write to the memory locations set forth in the address access range field 646.
- Selective read and write control may be provided to users depending on the password level to which they are granted.
- Because access level block 630A is a top level access, it is contemplated that the user would have both read and write capability.
- Field 646 comprises the address access range that corresponds to the password in field 634.
- The range of addresses to which a user having or entering the password is granted access may be defined as any range, or select group of memory locations, which need not be consecutive.
- For block 630A, which is the top level access, all memory addresses may be fully accessible.
- Access level block 630B is generally similar to block 630A, but it is not a top level access, i.e. it may or may not grant full access to all memory locations within the memory.
- A unique level 1 password may be stored in field 634B. This password, if correctly supplied, grants a user access to the address range or address list in access range field 646B.
- The read access field and write access field 638B, 642B control the type of access granted by the password level 1. Namely, field 624B indicates whether read access is granted while field 642B indicates whether write access is granted.
- The memory 620 may contain any number of different access level blocks 630N to provide the desired level of memory control resolution. In this manner, different users or individuals having access to the memory may be granted different levels or degrees of access to the memory which is controlled by the passwords. This limits access to sensitive or private data and settings to those with proper authority to view such information.
- The access to memory may overlap because each access range 642 is independent of the other access ranges.
- Each access level may have additional passwords and associated address access ranges.
- A vendor may require access to the optic module, but the vendor may want different levels of access control.
- A first access level password may grant access to a first address range while a second password may grant access to a second address range.
- A vendor manager may receive access to all the vendor specific address ranges while a vendor technician may receive access to only a limited subset of the addresses granted to the manager.
- Each access level may have multiple passwords, each of which grants access to different or overlapping memory addresses. In one embodiment, the passwords are stair stepped to grant sequentially greater access.
- A first password will grant access to a first address group
- A second password will grant access to a second address group, which provides greater access than the first address group.
- This stair step access may continue to any number of levels. In other embodiments, the access granted by each password may not overlap with other ranges.
- An optic module with password control is provided.
- An access control scheme is provided as described herein.
- Various levels of access are established using the user interface or other means, such as prior to or after install, or during manufacture.
- A top access level in addition to level 1 through level N are established with passwords and stored in fields 634 through 634N for the various access levels.
- Address access will be established and stored in fields 646 through 646N.
- The memory controller 612 may receive the password and perform a comparison to the passwords stored and located in the memory 620 in the memory locations 634-634N. Alternatively the access level data may be stored in memory 622. If the comparison returns a match between an access level password and the password input by the user, then the user is granted access to the memory locations associated with that access level. For example, if the password typed in by the user matches the address located in level 1 634B, then the user would be granted access to the memory addresses stored in field 646B. Additional passwords may be entered to gain greater or different access to the data stored in the memory. A similar password comparison process would occur.
- Read and write access would be controlled by the fields 638B and 642B. It is contemplated that an appropriate software and screen display interface may be provided to accept the password, and provide interaction between the system and the user. If the comparison does not result in a match, then the user is denied access to the memory.
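The FIG. 6 scheme described above, sketched in C as an added example; it is not code from the patent. The password width, memory size, sample passwords and address ranges are constructed, and the constant-time comparison and the zero-padded entry handling are hardening choices the text does not specify.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_LEN     8    /* assumed fixed width of password field 634 */
#define MAX_RANGES 4
#define MEM_SIZE   256  /* assumed module memory size */

typedef struct { uint8_t first, last; } addr_range;  /* inclusive bounds */

/* One access level block (630A..630N in FIG. 6). */
typedef struct {
    uint8_t    password[PW_LEN];    /* field 634, NUL padded */
    bool       read_ok;             /* field 638 */
    bool       write_ok;            /* field 642 */
    addr_range ranges[MAX_RANGES];  /* field 646: need not be consecutive */
    size_t     n_ranges;
} access_level;

/* Constructed sample table: top level, vendor manager, vendor technician. */
static const access_level LEVELS[] = {
    { "top-lvl", true, true,  { {0x00, 0xFF} },               1 },
    { "vnd-mgr", true, true,  { {0x80, 0x9F}, {0xC0, 0xCF} }, 2 },
    { "vnd-tec", true, false, { {0x80, 0x8F} },               1 },
};
#define N_LEVELS (sizeof LEVELS / sizeof LEVELS[0])

typedef struct { uint32_t unlocked; } acl_session;  /* bit i: level i matched */
static uint8_t module_mem[MEM_SIZE];

/* Compare without an early exit so timing does not reveal a partial match. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Compare the entry against every stored level password. Returns the
 * matched level index, or -1 (no match: nothing is unlocked). */
int acl_login(acl_session *s, const char *entry)
{
    uint8_t buf[PW_LEN] = {0};
    size_t len = strlen(entry);
    int matched = -1;

    if (len == 0 || len >= PW_LEN)
        return -1;
    memcpy(buf, entry, len);
    for (size_t i = 0; i < N_LEVELS; i++) {
        if (ct_equal(buf, LEVELS[i].password, PW_LEN)) {
            s->unlocked |= 1u << i;   /* later passwords add access */
            if (matched < 0)
                matched = (int)i;
        }
    }
    return matched;
}

/* Access is granted only if some unlocked level has the needed flag set
 * and one of its address ranges covers addr. */
static bool acl_allowed(const acl_session *s, uint8_t addr, bool want_write)
{
    for (size_t i = 0; i < N_LEVELS; i++) {
        const access_level *lv = &LEVELS[i];
        if (!(s->unlocked & (1u << i)))
            continue;
        if (want_write ? !lv->write_ok : !lv->read_ok)
            continue;
        for (size_t r = 0; r < lv->n_ranges; r++)
            if (addr >= lv->ranges[r].first && addr <= lv->ranges[r].last)
                return true;
    }
    return false;
}

bool acl_read(const acl_session *s, uint8_t addr, uint8_t *out)
{
    if (!acl_allowed(s, addr, false)) return false;
    *out = module_mem[addr];
    return true;
}

bool acl_write(const acl_session *s, uint8_t addr, uint8_t val)
{
    if (!acl_allowed(s, addr, true)) return false;
    module_mem[addr] = val;
    return true;
}

int main(void)
{
    acl_session s = {0};
    uint8_t v = 0;
    printf("no password, read 0x80: %d\n", acl_read(&s, 0x80, &v));
    printf("technician login: level %d\n", acl_login(&s, "vnd-tec"));
    printf("read 0x80: %d  write 0x80: %d\n",
           acl_read(&s, 0x80, &v), acl_write(&s, 0x80, 1));
    printf("manager login: level %d\n", acl_login(&s, "vnd-mgr"));
    printf("write 0x90: %d  read 0xB0: %d\n",
           acl_write(&s, 0x90, 1), acl_read(&s, 0xB0, &v));
    return 0;
}
```

Because each level's ranges are checked independently, the manager's second password widens the technician's session without replacing it, which is the stair-stepped behaviour the text describes.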
Description
- The invention relates to optic modules, and in particular, to a memory access control in an optic module.
- Optic modules are utilized to perform communication over optic channels. These modules are often expensive and relied upon for important data communication. In other situations or in the future, optic modules may be utilized in consumer applications to increase bandwidth. In all environments, module failure is undesirable and as such, optic modules are often configured with monitoring or diagnostic capability. Such monitoring of one or more of the module outputs, inputs or other factors, such as environment, can predict or detect failure.
- To facilitate monitoring, the modules may be equipped with one or more monitoring elements and memory or other data storage elements. The modules may store system data, environment data, and threshold values. A processor and user interface may be provided so that a user may access the data values stored in the memory of the module. An external host may connect to the module to allow for user interface with the module, such as to input or extract data from the module.
- As is commonly understood, multiple optic modules may be configured within a single enclosure or unit to service multiple optic fibers. This reduces space consumption, and allows for use of shared resources, such as power supplies and rack slots.
- Although multiple optic modules may be located within a single enclosure or unit, one drawback to prior art systems is that each optic module, if configured in accordance with the standard governing optic modules, has the same address and shares a common memory. The current standard governing optic modules comprises SFF-8472. Stated another way, for the optic module to be standard compliant, which is often a required characteristic, it must be addressed in the exact manner specified in the standard. When multiple optic modules are located within a single enclosure or module, this limitation may undesirably hinder efficient communication between a host and the modules.
- One additional disadvantage of prior art modules is that the memory locations for an entire module may be accessed through use of a single password. As such, it is not possible to limit or selectively control access to the numerous different memory locations in the module. This is a drawback because it may be desired to restrict access to certain memory locations for certain individuals, while allowing greater access to other individuals or entities. Moreover, it may be desired to grant certain individuals access to certain locations, while granting other individuals access to entirely different locations.
- The present invention overcomes these drawbacks in the prior art and provides additional benefits.
- To overcome the drawbacks of the prior art, a method and apparatus for controlling access to data stored in a memory of an optic module is disclosed. In one embodiment of this method for controlling access to data stored in a first memory in an optic module is first provided. Then, responsive to providing a password entry to a memory controller, the system reads one or more access level passwords from the first memory or a second memory. This exemplary method of operation then compares the password entry to the one or more access level passwords and, responsive to the comparing not locating a match between the password entry and an access level password, the system denies access to the data stored in the first memory. Alternatively, responsive to the comparing locating a match between the password entry and an access level password, the system grants access to the data stored at the memory addresses defined in an address access range associated with the matched access level password.
- In one embodiment, the method further comprises storing a second access level password in the first memory, the second memory, or both. In addition, the address access range defines to which memory locations access is granted. The address access range may define consecutive or non-consecutive memory locations. This method may further comprise analyzing a write memory field to determine if write capability is granted to the data stored at the memory access range.
- Also disclosed herein is a memory access control system for controlling access to data in memory in an optic module. In one embodiment this system comprises a user interface configured to receive an entered password from a user and one or more memory units configured to store optic module data and one or more access level data fields. It is contemplated that at least one of the one or more access level data fields is configured to store at least one access level password and an associated address range. Furthermore, a comparator is provided as part of this system and configured to compare the entered password to at least one of the at least one access level passwords. A controller, responsive to the comparison yielding a match between the entered password and at least one access level password associated with an access level, is configured to grant access to the data stored in the address range associated with the matching access level.
- In one variation, the comparator comprises a controller or processor. In addition, the address range may comprise a range of addresses which includes non-consecutive addresses. The access level data field may store a write capability field configured to store data that controls write capability for a password. There may be multiple memories and hence in one embodiment at least one access level password is stored in a first memory and the optic module data is stored in a second memory. Furthermore, in one configuration at least one of the one or more access level data fields further comprises a first password and an associated first address range and a second password and an associated second address range.
- In another embodiment, a multi-level memory access control system for controlling access to data in memory in an optic module is disclosed. In this embodiment the system comprises a user interface configured to receive at least a first entered password and second entered password from one or more users. The system also comprises one or more memory units configured to store optic module data. The memory also stores one or more access level data fields such that at least one of the access level data fields is configured to store at least a first stored password and a second stored password. An address group is associated with the first stored password and an address group may be associated with the second stored password. Furthermore, a controller is part of the system and is configured to compare the first entered password to the stored first password. Responsive to a match between the first entered password and the first stored password, the controller is further configured to grant access to the address group associated with the first stored password and then accept a second entered password. The controller then compares the second entered password to the second stored password and responsive to a match between the second entered password and the second stored password, grants access to the address group associated with the second stored password.
- In this system the address group associated with the first password may comprise fewer memory addresses than the combination of the address group associated with the first stored password and the address group associated with the second stored password. Furthermore, access to the address range associated with the second stored password may include the address groups associated with the first stored password. As set forth below in more detail, this system may further comprise a write field as part of the one or more access level data fields, wherein data in the write field controls memory write capability. It is contemplated that the controller may comprise a processor configured to execute machine readable code. Also part of this system may be a host configured to receive the first entered password from a user and communicate with more than one optic module via a shared bus.
- Other systems, methods, features and advantages of the invention will be or will become apparent to one with skill in the art upon examination of the following figures and detailed description. It is intended that all such additional systems, methods, features and advantages be included within this description, be within the scope of the invention, and be protected by the accompanying claims. The features and elements disclosed herein may be enabled or claimed individually or in any combination.
- The components in the figures are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the invention. In the figures, like reference numerals designate corresponding parts throughout the different views.
- FIG. 1 illustrates a block diagram of an example environment of use.
- FIG. 2 illustrates an example embodiment of multiple optic modules controlled by a single host device.
- FIG. 3 illustrates a block diagram of a prior art host to optic module communication arrangement.
- FIG. 4 illustrates an example embodiment of host to optic module control system.
- FIG. 5 illustrates an example embodiment of control system utilized to establish the control line as a module select.
- FIG. 6 illustrates an exemplary memory structure for multilevel password protection within an optic module.
- FIG. 1 illustrates a block diagram of an example environment of use for the method and apparatus disclosed herein. This example embodiment comprises an optic module 204 as may be configured to communicate over optic fiber module 204 may be considered for purposes of discussion as a transmitter, shown at the top of the figure within the module 204, and a receiver, shown at the bottom of the module. A control and monitoring system module 204. Although not shown, additional processing, gating, buffering, or other elements may be associated with the module 204.
- In this example embodiment the transmitter comprises a laser driver 212 configured to receive one or more incoming signals on one or more data inputs 216. The laser driver 212 converts an incoming voltage level, representing an outgoing data signal, to an electrical current suitable for driving an optic signal generating device, such as laser diode 220. The laser driver 212 may map the incoming data signal into an electrical current having parameters, namely bias current and modulation current to facilitate driving any optic generator, such as diode 220.
- It is contemplated that the optic signal generator 220 may include a photo detector capable of generating an output that represents one or more aspects of the optic signal generator or the optic signal, such as power level or other factor. One or more fibers 208A connect to the module 204 to receive the outgoing signal from the signal generator 220. Any type fiber 208 or other transmitter apparatus may be utilized.
- Turning now to the receiver aspects of the module 204, one or more fiber 208B carrying incoming optic signals connect to a photo detector 230. The photo detector 230 converts the incoming optic signals to electrical signals, which are thereafter provided to a transimpedance amplifier 234 (TIA), which is capable of converting the low magnitude current signal from the detector 230 into a voltage value output signal. The output of the TIA 234 is forwarded to a limiting amplifier 238 which may serve as the final stage to set the signal level appropriate for additional processing. The output of the limiting amplifier 238 is output from the module 204 as an electrical signal at a desired voltage level.
- The output from the photo detector diagnostic module 248 associated with the controller aspects of the module 204. This is discussed below in more detail.
- Assisting with or monitoring one or more aspects of the module 204 are a controller and monitoring aspects module 204. In this embodiment a host (not shown) may communicate over a two wire interface path 240 with a controller 244. The controller 244 may comprise a processor, control logic, or any other element or device capable of performing as described herein. The controller 244 communicates with a diagnostic module 248, which may be configured into a single integrated circuit or ASIC. The diagnostic module 248, in connection with the controller 244, may monitor and/or control one or more aspects of the module.
- It is contemplated that the controller 244 and diagnostic module 248 may also be configured to control or dictate one or more modes or aspects of module operation. In one embodiment the module may conform with general application or specification SFF-8472, which comprises a multivendor agreement for providing digital diagnostic and monitoring of the optic module. SFF-8472 is hereby incorporated by reference. SFF-8472 specifies an electrical interface, such as interface 240, as a two wire serial interface.
- Memory may be associated with the controller 244 and/or diagnostic module 248 to store threshold information and/or current or past data regarding the module, module operation or module environment. The locations within the memory may be identified by an address and the module itself may be identified with an address. Access to the memory occurs as described below. Controlled access to the memory is achieved through the process and system described below.
- One or more environment or system monitors 252 may communicate with the module 248 or controller 244 to provide information regarding the module, module environment or device behavior or operation. One example of such a monitoring device may be a temperature monitor.
- FIG. 2 illustrates a block diagram of an example embodiment of multiple optic modules controlled by a single host device. By implementing the method and apparatus as described herein, a single host controller may communicate with multiple modules and via the host controller and the module, selective access to the memory of each module may be achieved.
- As shown, a host 304 may comprise any devices capable of communicating with one or more optic modules controller 304 comprises a computer. The multiple modules 308 may be contained within a single housing 312 or within a single rack storage unit.
- Connecting the host 304 to the modules 308 is a shared interface path or line 316. In this example embodiment the interface path comprises a two wire interface path, but in other embodiments other types of interfaces may be utilized. In this embodiment the interface 316 is a shared interface, thereby eliminating the need, when combined with a unique addressing scheme, for a separate host for each module. Also provided is a transmit disable line host 304 to each module 308A. In the embodiment described herein the transmit disable line 320 comprises a direct path or connection into each module (or integrated circuit within the module) that may be utilized to send a signal from the host to the module to disable operation of the module. This may be useful, during operation, to disable the signal generator during repair, reset, testing, or for any other reason. It is contemplated that the transmit disable signal may set a flag or bit in a register or in any other manner force the module to disable the signal generator or other element or aspect of operation.
- In the embodiment of FIG. 2, the host 304 is configured to communicate with each module using a unique address assigned to an optic module 308. In one embodiment the optic modules are each assigned a unique address during manufacture, configuration, and are thus equipped, when installed, with a unique address. For example, the module may be configured with a different image stored in a memory, such as EEPROM. Then at start-up, the image is loaded from the memory to modify one or more addresses of data within the module, the module address, or both. While this may or may not be considered standard compliant, it overcomes the drawbacks of the prior art. When the host 304 intends to communicate with a particular module 308, it utilizes the module's address in the communication. Although all modules 308 may receive the message, only the module with the corresponding address will accept or act on the message. In one embodiment the module(s) appear as memory to the host, which may be accessed, written to, or interrogated. One type of data which may be stored on the module comprises device identification data. Examples of the type of device identification data that may be found in the module include, but are not limited to, vendor ID, Part ID, Optic Link information, data rate, and wavelength. In addition, diagnostic information may also be found in the module, including, but not limited to supply voltage monitor values, temperature monitor values, transmit and receive optic power monitor values, modulation current values, and status flags. In one embodiment the address for the serial ID information is at address AOX and the diagnostic information is at A2X. The data may also include data that controls operation of the module.
- In standard compliant modules, all modules have the same addresses, which inhibits communication with only a particular module via path 316. Thus standard compliant devices all have or are equipped with the same address, which prevents use of a shared bus. As a result, in one embodiment, the optic module may be configured to selectively enable a module or module interface 316 based on another control signal from the host to the module. In one embodiment, the control signal that may temporarily disable a module's interface path 316 comprises a signal sent via the transmit disable line 320. When the interface aspects of all but one module 308 are disabled, the module with an active interface may receive a communication from the host that re-writes the module's address to a unique address. The process may sequentially occur with the other modules 308 until all of the modules 308 within the enclosure are assigned unique addresses. Thereafter, each module 308 may be accessed or communicated with via the shared interface path 316 by a single host. This operation is discussed below in more detail.
- FIG. 3 illustrates an embodiment that also provides for access from a host to an optic module. In this embodiment, a host controller optic module wire interface single enclosure 120 or housing.
- As a drawback to prior art configurations, use of the same address by each module 108 prevents module specific addressing from a shared or common host 104. Because each module is assigned the same address, attempts to utilize a shared bus result in a shared host reading from or writing to every module, even though the intent was to write to a single specific module. Controlled access to the memory, such as through the password method and apparatus described herein, may occur in the system as shown in FIG. 2 or FIG. 3.
- Although possible solutions to this drawback have been proposed, such solutions are viewed as undesirable. One such possible solution is to utilize a separate host for each module, such as shown in FIG. 1. As can be appreciated, this solution is not cost or space effective since a host must be associated with each module. Another solution is to have a technician physically disconnect a shared host from a first module to a second module to allow communication with the second module. Likewise, a technician may physically actuate an external switch that interconnects the various modules to the shared host. Although these options are possible, it is clear that in reality they are not desirable or economical options.
- FIG. 4 illustrates a block diagram of an example host with optic module. This is but one example embodiment of an optic module equipped for unique address conversion to establish unique module addressing. After reading the description provided herein, one of ordinary skill in the art may devise other systems or methods for establishing a unique address, without departing from the scope of the claims that follow. As shown in FIG. 4, a host 408 may comprise a user interface 416 which may interface with a user of the host, such as a technician or other machine to control the host, which in turn may control or interrogate or interact with the modules 400. The user interface 416 may comprise any element capable of receiving input and providing information regarding the host, module, or both. One example of a user interface is a keyboard, mouse, and display.
- The user interface 416 may interact with a processor 412. The processor 412 may interact with an input/output (I/O) 424 which is configured to communicate with a module 400. As referenced in FIG. 2, the I/O may utilize a shared two wire interface path 430, which connects to other modules 400. This may be referenced as a shared path or a shared interface. Also connecting the host 408 and the module 400 is a control line 434, which in this example embodiment comprises a transmit disable line configured to conduct a transmit disable signal to the module 400. In other embodiments the control line may comprise a different path.
- The two wire interface path 430 and the control line 434 connect to a module I/O interface 440 configured to achieve communication between the module 400 and the host 408. The interface 440 control and facilitate communication via paths module 400 is a controller or processor 444, a memory controller 448, and one or more memory units 452. In this example embodiment, the interface 440 communicates with the memory controller 448 via an address line and a data line, as shown. The address line carries a particular memory address to the controller 448, while the data line carries data to the memory 452, via the controller 448. The interface 440 may also communicate with the processor 444.
- The processor 444 may comprise any type processor, logic, control circuitry, or ASIC configured to perform as described herein. The processor 444 may control one or more aspects of the module 400 as would be understood. The processor 444 may be configured with internal memory (not shown) or utilize the memory 452 for storage of data, flag, or other information. The memory controller 448 may comprise any type control structure for writing information to or reading information from the memory 452. Operation of the module may occur as is understood by one of ordinary skill in the art.
- For a module 400 to be standard compliant, the module is assigned a predetermined address. All standard compliant modules are assigned the same address. As can be appreciated, in the configuration of FIG. 2, attempting to communicate with a single particular module when all the modules share the same address is simply not possible. Accordingly, the method and apparatus described herein, and discussed below in relation to FIG. 3, overcomes this drawback.
- In one example method of operation, the host 408 connects to the module via the two wire interface path 430 and the transmit disable line 434. Operation of the module may not yet have commenced at this stage, although installation may have occurred. In other embodiments, operation may have commenced.
- In one embodiment, the host 408 sends a signal via the transmit disable path 434 to the module 400 to cause the module to enter into a reconfiguration state. The module 400 is configured with logic, software, hardware, or a combination of these elements to interpret this incoming control signal to enable the module to have the module's address re-written.
- For example, the housing may contain four modules 400, each of which has a transmit disable line 434 connected to the host. The modules 400 are configured with logic or other means to identify when a control signal is being sent to the modules. When a control signal is sent, such as the transmit disable line goes high, the module 400 enters a write mode allowing the two line interface to re-write the address for the module with a unique address. The host 408 may sequentially force only one transmit disable line (control line) high at a time thereby allowing the host to sequentially re-write the addresses for each of the modules with unique addresses.
- In one embodiment, the signal on the transmit disable line sets a bit or flag in the module to an alternate state which signifies to the modules that the address for the module is to be re-written. For example, the module may be configured such that a high state or setting the transmit disable flag may disable the I/O interface for the module. If only one module that connects to the host is left with an active I/O, such as an active interface 440, then as a result, the host may re-write the address of this module without re-writing the addresses of the other modules also connected to the host. This process of selectively de-activating all of the I/O interfaces 440, except one, and re-writing the address with a unique address may be repeated until each of the modules has a unique address. In one embodiment, the module is not yet active, during the module address re-write process, and hence, operation is not disrupted. In other modes of operation, the module may be active, i.e. transmitting and/or receiving optic signals during the address change operation.
- In one embodiment, an initial write operation is performed to a default address using the two line interface path. This write operation to each module, which may occur over the shared two line interface path, forces each module to interpret the transmit disable signal as a chip select instead of a signal to disable operation of the module. This write operation may comprise setting a flag or a register bit. When a module is configured in this manner, the transmit disable line becomes the module select thereby allowing the state (high/low) of transmit disable line, or a signal on the transmit disable line, to control if a module may receive communication from the host. By enabling only a single module at a time, and disabling the other modules, the address of each module may be changed to a unique address.
After the host re-writes the address of each module to a unique address, a signal is sent from the host to each module restoring the transmit disable path to its original function, namely, disabling operation of the module. This may occur by the module being sent a signal that reverses the effect of the original signal that changed the configuration of the transmit disable line, and/or by re-writing a memory location or register to return the transmit disable line to its function as a transmit disable line, instead of a module select line. In one embodiment a configuration bit is set to control the function of the transmit disable line. In this embodiment the function of the transmit disable line is controlled by a control line status bit, which may be controlled by the host via the two line interface. The module may be configured with a status bit register or a location in memory that may be modified by the host to control the function of the control line, such as a transmit disable line.
In one embodiment, the memory controller 448, the I/O interface, or any other element performs an address indirection or modification from the address specified via the two line interface path 430. As a result, the address specified by the host via the two line interface may be processed to generate a different address. This provides the benefit of a more flexible address scheme, as compared to the standard compliant devices, and may provide for a greater range of memory allocation and expansion. In one embodiment a look-up table is utilized to select or convert memory addresses. In one embodiment a FIFO memory allocation unit with address tracking is utilized to assign memory locations different from those specified by the host. In one embodiment an address translation table is utilized.

As shown, the interface 440 may be configured to provide a device address and a data address. The device address may define a particular IC, a device within the module. The data address may define a memory location.

As discussed below in more detail, to selectively control access to the memory 452, the memory, memory controller 448, and processor 444 may accept a password from a user and compare the password to one or more access level passwords that are stored in the memory 452 or other memory. If a match is found, then access is granted to the memory range or addresses associated with that access level. Access may occur over a shared bus as shown in FIG. 2 or FIG. 3.
FIG. 5 illustrates an example embodiment of a control system utilized to establish the control line as a module select. This is but one possible example embodiment and as such, one of ordinary skill in the art may arrive at other configurations which do not depart from the scope of the claims. In this embodiment the two line interface path 504 may connect to logic 508, which may optionally be equipped with memory. The signal on the two line interface path 504 may set a memory location or other logic element in the logic 508 to thereby generate an output to the logic element 520. In the embodiment of FIG. 5, element 520 comprises an AND gate and the input to the AND gate may be inverted to facilitate proper operation. In one embodiment as shown, the tx disable line 524 also connects to the logic 508 which, when combined with the signal on path 540, forces the logic 508 to output a signal to element 520. However, in other embodiments the tx disable line 524 may not connect to the logic 508 and, as a result, only the signals on path 504 cause the logic to establish the output from the logic to the logic element 520.

The element 520, upon receiving only the transmit disable signal, treats the transmit disable input as a signal instructing the module to shut down or be disabled. In contrast, when the signal on the transmit disable path 524 and the signal from the logic 508 are both high, then the signal on the transmit disable path operates as a module select. It is contemplated that the logic 508 and logic element 520 may comprise any type of logic, processor, ASIC, controller or any combination thereof that is capable of functioning as described herein. The elements

In an alternative configuration, a particular two line interface signal via path 504 in combination with the transmit disable signal on path 524 causes the logic 508 to generate a module select signal, thereby either disabling the module or enabling the module or the module's two line communication path or interface. By generating a module select signal with the logic 508, a single module, from multiple modules connected to a host, may be activated at a particular time, thereby allowing the host to selectively change the address of a particular active module.

Operation of the system of FIG. 5 is now discussed. During operation a particular signal may be sent to the logic 508 via path 504 to set the logic or a status bit. This signal changes operation of the control line, such as the tx disable line. This may occur for all the modules at the same time, to thereby disable the tx disable line of all modules from functioning as a module disable line. Instead, a signal sent via the transmit disable path functions as a module select line. Accordingly, all of the modules may then be disabled, except for one, which may be enabled.

The host may then change the address of the enabled module via path 504 by re-writing the address location with the new address. This may occur for each module to establish a unique address for each module.

After the one or more addresses for the modules are changed, the two line interface path 504 may send a signal to the logic which restores operation of the tx disable path as a path for signals to disable the module, instead of serving as a module select line to facilitate module address changes.

In one embodiment, to initiate the address change process, a command from the host to all of the modules is sent via the two line path. At this stage all the modules receive the command because all modules have the same address. The command instructs all modules to set a status bit or register value to enter a state wherein a signal on the transmit disable path may disable or enable the two wire communication interface of the module.
Using the transmit disable path in this manner allows the host to select a particular module, while disabling all others, to change the address of that particular module. This process may be repeated. After all modules have had their address changed, all the module interfaces may be enabled and a command may be sent from the host to the modules to restore operation of the transmit disable path to default mode.
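The address assignment sequence described above, simulated in C as an added example (not code from the patent). The register offsets, the default address 0x50, the line polarity (a high line deselects a module while the status bit is set) and the rule that the address register is writable only while that bit is set are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define N_MODULES     4
#define DEFAULT_ADDR  0x50  /* assumed address shared by all modules at power-up */
#define REG_CTRL_FUNC 0x00  /* hypothetical: 1 = TX-disable line acts as module select */
#define REG_DEV_ADDR  0x01  /* hypothetical: the module's own two-wire address */

struct module {
    uint8_t addr;        /* current two-wire device address */
    uint8_t select_mode; /* control line status bit */
    uint8_t tx_dis;      /* level the host drives on this module's TX-disable line */
    uint8_t tx_enabled;  /* optical transmitter state */
};

static struct module bus[N_MODULES];

void reset_bus(void)
{
    for (int i = 0; i < N_MODULES; i++)
        bus[i] = (struct module){ DEFAULT_ADDR, 0, 0, 1 };
}

/* In select mode a high control line takes the module off the two-wire bus. */
static int bus_active(const struct module *m)
{
    return !(m->select_mode && m->tx_dis);
}

/* Host drives one TX-disable line; its meaning depends on the status bit. */
void set_tx_dis(int idx, uint8_t level)
{
    bus[idx].tx_dis = level;
    if (!bus[idx].select_mode)
        bus[idx].tx_enabled = !level;   /* default function: stop transmitting */
}

/* Shared-bus write. Returns how many modules accepted it. */
int bus_write(uint8_t dev_addr, uint8_t reg, uint8_t val)
{
    int acks = 0;
    for (int i = 0; i < N_MODULES; i++) {
        struct module *m = &bus[i];
        if (!bus_active(m) || m->addr != dev_addr)
            continue;
        if (reg == REG_CTRL_FUNC)
            m->select_mode = val & 1;
        else if (reg == REG_DEV_ADDR && m->select_mode)
            m->addr = val;
        else
            continue;                   /* rejected: not acknowledged */
        acks++;
    }
    return acks;
}

int addresses_unique(void)
{
    for (int i = 0; i < N_MODULES; i++)
        for (int j = i + 1; j < N_MODULES; j++)
            if (bus[i].addr == bus[j].addr)
                return 0;
    return 1;
}

/* Host-side procedure. Returns 0 on success, -1 if any step is not
 * acknowledged by exactly the expected number of modules. */
int assign_unique_addresses(uint8_t base)
{
    int i;
    /* 1. Every module still answers at DEFAULT_ADDR, so one write reaches all. */
    if (bus_write(DEFAULT_ADDR, REG_CTRL_FUNC, 1) != N_MODULES)
        return -1;
    /* 2. Deselect every module. Transmitters are unaffected in select mode. */
    for (i = 0; i < N_MODULES; i++)
        set_tx_dis(i, 1);
    /* 3. Select one module at a time and re-write only its address. */
    for (i = 0; i < N_MODULES; i++) {
        set_tx_dis(i, 0);
        if (bus_write(DEFAULT_ADDR, REG_DEV_ADDR, (uint8_t)(base + i)) != 1)
            return -1;
        set_tx_dis(i, 1);
    }
    /* 4. Re-enable all interfaces, then restore the default line function. */
    for (i = 0; i < N_MODULES; i++)
        set_tx_dis(i, 0);
    for (i = 0; i < N_MODULES; i++)
        if (bus_write((uint8_t)(base + i), REG_CTRL_FUNC, 0) != 1)
            return -1;
    return 0;
}

int main(void)
{
    reset_bus();
    printf("assign: %d, unique: %d\n",
           assign_unique_addresses(0x51), addresses_unique());
    for (int i = 0; i < N_MODULES; i++)
        printf("module %d -> 0x%02X\n", i, (unsigned)bus[i].addr);
    return 0;
}
```

Checking the acknowledgement count at each step lets the host detect a module that missed the mode change or a line that failed to deselect, instead of silently leaving two modules on one address.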
FIG. 6 illustrates an exemplary memory structure for multilevel password protection within an optic module. This is but one possible embodiment of a multilevel password protection scheme for an optic module. In this embodiment a user input 604 is provided to an interface 608. The interface 608 is configured to provide access or allow for attempted access by a user or other device to the memory 620. It is contemplated that a user may physically enter a password, such as with a keyboard, or another electronic device may electronically enter the password. Interfaces 608, such as a user interface, are generally understood in the art and hence not described in detail.

The interface 608 connects to a memory controller 612, which in turn connects to the memory 620. The memory controller 612 may also connect to one or more additional memories 622. The memory controller 612, which may also be referred to as a memory interface, controls access to the memory and performs read/write control. In one embodiment, the memory controller 612 includes compare logic capable of comparing a password input by a user or other device via the interface 608 with one or more passwords stored in a memory, such as the memory 612. The memory controller 612 may also be configured with one or more registers or storage locations, such as the memory 620 or memory 622.

The memory 620 may comprise any type of memory. Within the memory 620 are numerous memory locations which may be accessed via the interface 608. To provide controlled or password based access to the memory 620, one or more password level control blocks 630A-630N are provided in memory to store memory access control data. Any number of access levels A through N may be provided, where N is any whole number.

With reference to access level 630A, which is stored in memory 620, it contains various data fields memory locations 620. Other levels of access, which may be defined in any manner, are discussed below. With regard to the top level access 630A, a password field 634, a read access field 638, a write access field 642, and an address range field are provided. The password field 634 is configured to store a password which, if input correctly to the memory controller, will grant access to the address range shown in the address access range field 646. For example, in access level block 630A, which is the top level access, the user would have access to all memory locations because the values or data located in field 646 indicate access to all accessible memory locations.

Read access field 638 stores data, such as a bit or flag, that controls whether the user having the matching password of field 634 has capability to read from the memory locations set forth in the address access range field 646. Write access field 642 stores data, such as a bit or flag, that controls whether a user having or using the matching password of field 634 has capability to write to the memory locations set forth in the address access range field 646. Hence, selective read and write control may be provided to users depending on the password level to which they are granted. As access level block 630A is a top level access, it is contemplated that the user would have both read and write capability.
Field 646 comprises the address access range that corresponds to the password in field 634. The range of addresses accessible to a user having or entering the password may be defined as any range, or select group of memory locations, which need not be consecutive. In block 630A, which is the top level access, all memory addresses may be fully accessible.
Access level block 630B is generally similar to block 630A, but it is not a top level access, i.e. it may or may not grant full access to all memory locations within the memory. A unique level 1 password may be stored in field 634B. This password, if correctly supplied, grants a user access to the address range or address list in access range field 646B. The read access field 638B and write access field 642B control the type of access granted by the password level 1. Namely, field 624B indicates whether read access is granted while field 642B indicates whether write access is granted.

The memory 620 may contain any number of different access level blocks 630N to provide the desired level of memory control resolution. In this manner, different users or individuals having access to the memory may be granted different levels or degrees of access to the memory, which is controlled by the passwords. This restricts access to sensitive or private data and settings to those with proper authority to view such information. The access to memory may overlap because each access range 642 is independent of the other access ranges.

It is further contemplated that each access level may have additional passwords and associated address access ranges. For example, a vendor may require access to the optic module, but the vendor may want different levels of access control. Hence, for a particular access level associated with that vendor, a first access level password may grant access to a first address range while a second password may grant access to a second address range. Hence, a vendor manager may receive access to all the vendor specific address ranges while a vendor technician may receive access to only a limited subset of the addresses granted to the manager. It is thus contemplated that each access level may have multiple passwords, each of which grants access to different or overlapping memory addresses. In one embodiment, the passwords are stair stepped to grant sequentially greater access. In this way, a first password will grant access to a first address group, and a second password will grant access to a second address group, which provides greater access than the first address group. This stair step access may continue to any number of levels. In other embodiments, the access granted by each password may not overlap with other ranges.
Method of Operation
During operation, an optic module with password control is provided. To selectively control access to the memory locations, and hence the data stored therein, an access control scheme is provided as described herein. Prior to use, various levels of access are established using the user interface or other means, such as prior to or after install, or during manufacture. In this embodiment a top access level in addition to level 1 through level N are established with passwords and stored in fields 634 through 634N for the various access levels. For each access level, address access will be established and stored in fields 646 through 646N.

After set up, a user attempting to access the memory of the optic module would provide a password via the user input 604 and the interface 608. The memory controller 612 may receive the password and perform a comparison to the passwords stored and located in the memory 620 in the memory locations 634-634N. Alternatively, the access level data may be stored in memory 622. If the comparison returns a match between an access level password and the password input by the user, then the user is granted access to the memory locations associated with that access level. For example, if the password typed in by the user matches the address located in level 1 634B, then the user would be granted access to the memory addresses stored in field 646B. Additional passwords may be entered to gain greater or different access to the data stored in the memory. A similar password comparison process would occur.

Read and write access would be controlled by the fields 638B and 642B. It is contemplated that an appropriate software and screen display interface may be provided to accept the password, and provide interaction between the system and the user. If the comparison does not result in a match, then the user is denied access to the memory.

While various embodiments of the invention have been described, it will be apparent to those of ordinary skill in the art that many more embodiments and implementations are possible that are within the scope of this invention. In addition, the various features, elements, and embodiments described herein may be claimed or combined in any combination or arrangement.
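The access level blocks of FIG. 6 and the compare-and-grant flow of the method of operation, as an added C example (not code from the patent). The table contents, the 8-byte password width, the session bitmask that accumulates matched levels and the constant-time comparison are assumptions; an address covered by no matched block is denied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PW_LEN     8  /* assumed fixed password width, NUL padded */
#define MAX_RANGES 2  /* assumed limit on address ranges per block */

struct addr_range { uint16_t first, last; };   /* inclusive bounds */

/* One access level block, following fields 634/638/642/646 of FIG. 6. */
struct access_block {
    uint8_t password[PW_LEN];             /* field 634 */
    uint8_t read_ok;                      /* field 638 */
    uint8_t write_ok;                     /* field 642 */
    uint8_t n_ranges;
    struct addr_range ranges[MAX_RANGES]; /* field 646, need not be consecutive */
};

enum op { OP_READ, OP_WRITE };

/* Constructed sample table: top level, vendor manager, vendor technician. */
static const struct access_block blocks[] = {
    { "TOP-PW0", 1, 1, 1, { {0x000, 0x1FF} } },
    { "MGR-PW1", 1, 1, 2, { {0x080, 0x0FF}, {0x180, 0x1BF} } },
    { "TEC-PW2", 1, 0, 1, { {0x080, 0x0BF} } },
};
#define N_BLOCKS (sizeof blocks / sizeof blocks[0])

/* Bit i set means the password of blocks[i] has been supplied. */
struct session { uint32_t unlocked; };

/* Compare without an early exit, so timing does not reveal how many
 * leading bytes of a guess were correct (hardening added here). */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Compare the input against every stored password. Returns the index of
 * the matched block, or -1; a miss leaves the session unchanged. */
int submit_password(struct session *s, const uint8_t pw[PW_LEN])
{
    int matched = -1;
    for (size_t i = 0; i < N_BLOCKS; i++) {
        if (ct_equal(pw, blocks[i].password, PW_LEN)) {
            s->unlocked |= 1u << i;
            if (matched < 0)
                matched = (int)i;
        }
    }
    return matched;
}

/* Allow the operation only if some unlocked block grants this operation
 * type on a range containing addr. Ranges of different blocks may overlap. */
int access_allowed(const struct session *s, uint16_t addr, enum op op)
{
    for (size_t i = 0; i < N_BLOCKS; i++) {
        const struct access_block *b = &blocks[i];
        if (!(s->unlocked & (1u << i)))
            continue;
        if (op == OP_READ ? !b->read_ok : !b->write_ok)
            continue;
        for (size_t r = 0; r < b->n_ranges; r++)
            if (addr >= b->ranges[r].first && addr <= b->ranges[r].last)
                return 1;
    }
    return 0;   /* default deny */
}

int main(void)
{
    struct session s = { 0 };
    submit_password(&s, (const uint8_t *)"TEC-PW2");
    printf("technician read  0x090: %d\n", access_allowed(&s, 0x090, OP_READ));
    printf("technician write 0x090: %d\n", access_allowed(&s, 0x090, OP_WRITE));
    submit_password(&s, (const uint8_t *)"MGR-PW1");
    printf("manager write    0x090: %d\n", access_allowed(&s, 0x090, OP_WRITE));
    return 0;
}
```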
Claims (18)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/483,252 US8239919B2 (en) | 2006-07-06 | 2006-07-06 | Flexible hardware password protection and access control |
Publications (2)
Publication Number | Publication Date |
---|---|
US20080022363A1 true US20080022363A1 (en) | 2008-01-24 |
US8239919B2 US8239919B2 (en) | 2012-08-07 |
Family
ID=38972898
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/483,252 Active 2030-01-05 US8239919B2 (en) | 2006-07-06 | 2006-07-06 | Flexible hardware password protection and access control |
Country Status (1)
Country | Link |
---|---|
US (1) | US8239919B2 (en) |
-
2006
- 2006-07-06 US US11/483,252 patent/US8239919B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
US8239919B2 (en) | 2012-08-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: MINDSPEED TECHNOLOGIES, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LE, MIKE;JONES, KEITH R.;SADA, GILBERTO I.;SIGNING DATES FROM 20060830 TO 20060905;REEL/FRAME:018342/0685 Owner name: MINDSPEED TECHNOLOGIES, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LE, MIKE;JONES, KEITH R.;SADA, GILBERTO I.;REEL/FRAME:018342/0685;SIGNING DATES FROM 20060830 TO 20060905 |
|
FEPP | Fee payment procedure |
Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
AS | Assignment |
Owner name: JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT Free format text: SECURITY INTEREST;ASSIGNOR:MINDSPEED TECHNOLOGIES, INC.;REEL/FRAME:032495/0177 Effective date: 20140318 |
|
AS | Assignment |
Owner name: GOLDMAN SACHS BANK USA, NEW YORK Free format text: SECURITY INTEREST;ASSIGNORS:M/A-COM TECHNOLOGY SOLUTIONS HOLDINGS, INC.;MINDSPEED TECHNOLOGIES, INC.;BROOKTREE CORPORATION;REEL/FRAME:032859/0374 Effective date: 20140508 Owner name: MINDSPEED TECHNOLOGIES, INC., CALIFORNIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:032861/0617 Effective date: 20140508 |
|
AS | Assignment |
Owner name: M/A-COM TECHNOLOGY SOLUTIONS HOLDINGS, INC., MASSA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MINDSPEED TECHNOLOGIES, INC.;REEL/FRAME:037274/0238 Effective date: 20151210 |
|
FPAY | Fee payment |
Year of fee payment: 4 |
|
AS | Assignment |
Owner name: MACOM TECHNOLOGY SOLUTIONS HOLDINGS, INC., MASSACH Free format text: CHANGE OF NAME;ASSIGNOR:M/A-COM TECHNOLOGY SOLUTIONS HOLDINGS, INC.;REEL/FRAME:039164/0638 Effective date: 20160601 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 8 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 12 |